NSA-created cyber tool spawns global ransomware attacks

Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.

The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - has forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.

The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.

One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75,000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, the rate of successful attacks was above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.

Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.

UK National Health Service Paralysed by Windows Ransomware Attack

The Guardian and the BBC report, respectively, about a large-scale ransomware attack on the NHS's Microsoft Windows computer systems in England and Scotland. This particular piece of malware is called "WanaCrypt0r 2.0" or WannaCry and encrypts the PC's hard disk and demands bitcoin to decrypt it.

About 40 hospitals, GP surgeries and other NHS organisations are affected. Patients have had operations cancelled, ambulances have been diverted and wards have been closed.

From one of the Guardian reports:

According to one junior doctor who works in a London hospital, the attack left hospitals struggling to care for people. "However much they pretend patient safety is unaffected, it's not true. At my hospital we are literally unable to do any x-rays, which are an essential component of emergency medicine."

The NHS has stressed that patients' electronic medical records have not been compromised.

A major ransomware attack has been reported, with targets including banks and NHS Trusts all being hit.

According to Russia Today, a number of NHS employees have been reported as being hit by the ransomware, while one user posted on Twitter a screenshot of the ransomware which asks for "$300 worth of Bitcoin".

A global cyberattack has hit international shipper FedEx, disrupted Britain's health system and infected computers in nearly 100 countries.

The ransomware attack hit Britain's health service, forcing affected hospitals to close wards and emergency rooms with related attacks also reported in Spain, Portugal and Russia. [...] [the attack] is believed to have exploited a vulnerability purportedly identified for use by the US National Security Agency (NSA) and later leaked to the internet. [...] Private security firms identified the ransomware as a new variant of "WannaCry"[pt] that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.[...] Leading international shipper FedEx Corp said it was one of the companies whose system was infected with the malware that security firms said was delivered via spam emails.

[...] Only a small number of US-headquartered organisations were infected because the hackers appear to have begun the campaign by targeting organisations in Europe, a research manager with security software maker Symantec said. By the time they turned their attention to US organisations, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Vikram Thakur said.

The Spanish government said several companies, including Telefonica, were targeted [...] a message that was purportedly sent to workers at Telefonica carried a subject line referencing a wire transfer and asked them to check a website for more details. That link — when launched on a Windows computer suffering from the vulnerability discovered by the NSA — unleashed the program that rendered files inaccessible.

As recently as last week, about 1.7 million computers connected to the Internet were susceptible to such an attack [...]

Among the organisations compromised by the ransomware were the UK's National Health Service and Russia's Interior Ministry.

Related Stories

A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."

The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.

The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seems to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Brokers as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.

Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."

I thought I'd got a remaindered, 1000 page, hardback book, from a prominent author, at an absolute bargain price because the publisher made a typo on the cover. Unfortunately, that typo is deliberate. It was made by one of the characters in the book and gets propagated widely in malware.

I read this book to the end so that I could provide a fair review for SoylentNews but I really wish that I hadn't. At around the 75% mark, I wanted to abandon the book. Around the 95% mark, I was more interested in my bookmark than the book itself. The problem is that the book is too detailed and yet not detailed enough. The plot flips from a semi-autobiographical character to a dodgy Scottish accountant for the Russian Mafia to a needlessly exotic Black, Welsh, lesser-known contemporary of Osama bin Laden. Internal motive is rarely explained and therefore Welsh's Islamic subjugation of another needlessly exotic character makes her seem like a really irritating Mary Sue when it should have been a highly researched study of cultural belief.

Until reading What ISIS Really Wants, I thought the book would have benefited highly from Mary Sue being killed in the first half. Either way, it may be beneficial to read this book while referring to an atlas. It certainly seems to be written that way.

"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.

However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.

It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.

ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.

[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.

The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers.

The public release of the tools coincided with U.S. officials saying they had concluded that Russia or its proxies were responsible for hacking political party organizations in the run-up to the Nov. 8 presidential election. On Thursday, lawmakers accused Russia of being responsible.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.

Investigators have not ruled out the possibility that the former NSA person, who has since departed the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the sources said, is that more than one person at the headquarters or a remote location made similar mistakes or compounded each other's missteps.

Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of National Intelligence all declined to comment.

Harold T. Martin III is expected to appear at a federal courthouse in Baltimore on Friday for a hearing to consider whether he should remain in U.S. custody, as prosecutors announced in a court filing that they plan to file Espionage Act charges against him.

The FBI is investigating whether Martin may have transferred six bankers boxes' worth of paper documents and 50,000 gigabytes of electronic materials to anyone else, according to documents filed Thursday. So far, investigators said they have not found any connection to a foreign power. Martin's public defenders, James Wyda and Deborah Boardman, have said that he presents no flight risk and that "there's no evidence he intended to betray his country."

Martin, a former Navy reservist, has been in federal custody since late August. That's when FBI agents executed search warrants at his suburban Maryland home, uncovering what they describe as "overwhelming" proof he mishandled classified information. Among the materials they found: the personal information of government employees and a top-secret document "regarding specific operational plans against a known enemy of the United States and its allies," according to the court filing.

"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.

[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.

On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.

Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.

[...] An unnamed US official told the paper that Martin allegedly hoarded more than 75 percent of the TAO's library of hacking tools. It's hard to envision a scenario under which a theft of that much classified material by a single individual would be possible.

Last August, an unknown group called the Shadow Brokers released a bunch of NSA tools to the public. The common guesses were that the tools were discovered on an external staging server, and that the hack and release was the work of the Russians (back then, that wasn't controversial). This was me:

Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

They published a second, encrypted, file. My speculation:

They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though.

That's because the critical vulnerabilities for four exploits previously believed to be zero-days were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.

Original story follows:

The "Shadow Brokers" released files that purport to expose vulnerabilities in Windows and especially in Windows Server.

Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday. In recent months, the mysterious group has been releasing hacking tools allegedly taken from the NSA, and security researchers say they actually work.

Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.

According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.

The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.

[...] Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.

[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."

tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.

WannaCrypt (aka WCry) is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on users' machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and the infections were stopped only because a researcher discovered a domain name in the code which, when registered, caused the malware to stop infecting new machines.

We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.

Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.

In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.

What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?

Various news outlets report the release of Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."

From the Wired article noted below:

Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.

[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.

I hope the shit admins and beancounters who command them end up having to explain paying millions for not giving a flying fuck about securing some of our most sensitive personal information. It's never going to change until their pockets get hit.

Judging by turgid's bit, it will become apparent soon if anybody died as a result of this. That's what we need: cyber deaths in hospitals. Long predicted, now delivered to you courtesy of the NSA's competing and counterproductive missions.

Jeremy Hunt has been accused of ignoring “extensive warning signs” that could have prevented an unprecedented global cyber-attack that plunged the NHS into chaos this weekend. [...] The shadow health secretary, Jonathan Ashworth, said concerns had been flagged repeatedly about the NHS’s outdated computer systems, which he said had left it vulnerable to the virus. In a letter to Hunt on Saturday, he wrote: “As secretary of state, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cybersecurity in our NHS.

---

"Nobody was fired for buying Microsoft". I think there will be some heads to roll for not buying Microsoft [mirror.co.uk] (don't go there if you can avoid it).

The Tories cut security support for the NHS’s outdated computer system a year ago, despite warnings it would leave hospitals open to hackers, it was claimed.

The Government Digital Service, set up by David Cameron, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

NHS bosses were told to replace the 14-year-old system or take out a separate deal with Microsoft.

An April 2014 letter from the Cabinet Office and Department of Health to healthcare chiefs read: “It is imperative your organisation understands the risk placed on it should the decision be not to take out a [new Microsoft deal].” [...] GDS said at the time: “All departments have had seven years’ warning of the 2014 end of normal support and this one-year agreement was put together... to give everyone a chance to get off XP.” [...] A Sky News probe found seven NHS trusts spent nothing on cyber security in 2015.

Somewhere in the UK there is a warehouse stuffed full of GPs’ referral letters and blood test results diagnosing the health secretary with terminal incompetence. But as it has yet to be found, Jeremy Hunt had to limit his scope to the 700,000 NHS documents that have just turned up after going missing in action for five years in answer to Labour’s urgent question in the Commons.

“Absolutely nothing went missing,” he reassured MPs. All that had happened was that hundreds of thousands of confidential pieces of medical information had accidentally been sent to the wrong place without anyone noticing. But it was no biggy. As far as he knew, no one had died – or if they had, their death certificates had also gone AWOL, so it was much the same thing. And what it really proved was how many unnecessary tests the NHS were conducting each year. Just think of the potential savings. A couple of avoidable deaths had to be a price worth paying for not bothering with 700,000 bits of paperwork.

Hunt was rather less cavalier with his own reputation. “I was made aware of the situation in March last year,” he sobbed. And he had begged and begged his departmental officials to let him tell the country. But they had said to him: “You mustn’t do that, Jeremy, because otherwise every hypochondriac in the country will be ringing up their GP to find out if they’ve got cancer after all and we’ll never get round to finding out just how big a cock-up you’ve made. Not that you have made a cock-up, of course.”

The Government Digital Service, set up by David Cameron, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP.

Amber Rudd, minister of the interior, says it's a prioritized question to find out who's responsible and bring them to justice. Britain was hit hard when IT systems in hospitals went inoperable.

Hypocrites? That 5.5 million GBP could have saved a lot of trouble. Not to mention a program to transform all Microsoft Windows usage everywhere in hospitals into solid Unix platforms. Perhaps even ReactOS or Wine is an alternative.

I can really see when the military get the same kind of infection. They will just sue the enemy! ;-) It's a way to operate that just won't work.

Well, yes, the admins who were running insecure networks carry some fault. So does the government, that failed to disclose a weakness so that it could be repaired. This ought to be a lesson (but won't be) for all those clueless politicians who think that backdoors in encryption algorithms are a good idea. Backdoors never stay hidden, period.

But you know what strikes me? This is where international agencies like the NSA should be earning their keep. If they, and their counterparts in other affected countries, cannot trace the people behind this, then WTF are we paying their salaries for?

The people behind these ransomware attacks are certainly all part of an extended community. If their members were to start...disappearing...one after another, the community might just decide that the risk isn't worth the payday.

This is where international agencies like the NSA should be earning their keep. If they, and their counterparts in other affected countries, cannot trace the people behind this, then WTF are we paying their salaries for?

Uh, to spy on citizens, thereby increasing and consolidating governmental power, with the ultimate aim of producing a "benign" police state.

I thought that was their obvious purpose. The only thing more nefarious-sounding than "National Security Agency" is the term "Homeland Security."

I kinda like that idea - but if they start on one community, who is to say they won't start on another community? They came for the Jews, and I didn't speak up . . . .

But, you're right. The NSA has all those resources available, which are wasted on silly crap. Make a phone call, so that Grandma can talk to her distant cousin in Fuckistan, and the NSA starts tracking all your phone calls? FFS, what a waste.

Issue here has nothing to do with closed/open architecture, and everything to do with bad original design (Microsoft), bad internal security (NSA), idiot users (who open phishing emails), rent-seeking MBAs/PHBs who don't budget for adequate security, and lazy/incompetent sysadmins who forego/delay security patches.

Obviously the whole world needs to run FreeBSD with pfSense and without systemd, right?

As an admin in a large 3 letter computer company in a previous life, updates had to be agreed on with all stakeholders via a change control process. The end result was that updates were applied twice a year, on a Sunday morning at 4am.

I expect the NHS to be just as conservative, if not more so. All an admin can do is complain and then clean up the mess when the shit hits the fan.

I too was in such a situation, and always giggled with sadistic glee when we got hit with childishly preventable problems. As the business twisted in the wind while we "cleaned up the mess", it was positively fascinating watching the blizzard of company-wide memos from horror-stricken C-levels trying to do damage control on something they brought on themselves.

Any CIO/CTO who agrees to an update regimen as you describe is a boob, and deserves the outcome. Minions, meanwhile, can hopefully soak up the overtime pay and enjoy the new shop jokes to tell over a beer.

Let's narrow it down a bit. Don't blame the sysadmins this time, they can't apply patches that don't exist. Those rent seeking MBAs didn't renew the extended support contract nor did they provide a budget to migrate away from XP.

And let's not forget that MS perfected the email virus. Way back in the olden days, in spite of persistent hoaxes, jokes, and paranoid ramblings, you couldn't get a virus from email or any other text document. We all had a good laugh about the honor system virus and, of course the good times virus. It took the dumbest (and possibly most expensive) series of design decisions in the history of computing on the part of MS to bring all of this to life. It's not as if they weren't warned and strenuously urged to reverse their decision to make email and documents executable. They were also warned that blurring the line between opening something and running something was a very bad idea. Then just to make sure to enable the coming avalanche of email horrors, they hid the distinction between an executable and a file that executable might open.

Yes, the NSA gets its share of the blame for developing a cyberweapon and then leaking it to the world. Imagine if Los Alamos had accidentally published everything you needed to build an atomic bomb shortly after Hiroshima.

The users aren't blameless provided they have received training about the dangers of clicking on emails, but they were set up by MS's series of blunders.

I'm retired now, but using your own device or software at work was strictly forbidden. I need MS Office now because magazines demand stories be in .doc format. I write in Lo and Oo but need MS Word to make sure it will open the files. Business (most businesses, anyway, there are exceptions, like Ball) and governments have mostly standardized on the decidedly non-standard Microsoft.

I find it amusing when people ask when the "year of Linux on the desktop" will be, because if you lay your phone on a desk, you already have either Linux or BSD on the desktop depending on whether it's an iPhone or Android.

I've been using Linux at home since Mandrake. I hate what they've done to KDE. I'm really glad Lo will now usually write .doc files all right. It didn't used to, Oo still won't AFAIK.

I suspect your tongue is firmly in your cheek, but want to point out to others that the statement is a salesman's lie. For instance, Aleve is identical to generic naproxen sodium, but costs three times as much.

You do usually pay for what you get, and often pay more than what you get.

According to Avast, 99 countries are affected. Worst affected are Russia, Ukraine and Taiwan. British hospitals, the Spanish telephone operator Telefónica and the US transportation company FedEx have also been disrupted.

The French car manufacturer Renault has been forced to stop manufacturing in Slovenia and at facilities in France after being hit, according to AFP. In Russia, banks and government departments have been affected.

This is the largest ransomware attack, says Rich Barger at the IT company Splunk, to Reuters.

Unlocking cost circa 300–600 US$.

The hole used was patched on 2017-03-14. (But then who trusts Microsoft to fix more than they screw up?)

When will Microsoft addicts take the hint that what they are using is digital poison?

Correct. But, there's a difference between targeting Microsoft and Linux. With Microsoft, you wait, and wait, and wait, hoping that Microsoft might offer a patch for the hole in their system. With open source software, there will probably be a patch pretty soon. If the patch is not forthcoming, you can get on the mailing lists, to see WTF is taking so long. And, if it appears that the patch isn't coming, or not coming quickly enough, you can take mitigating actions. Worst case scenario, you can make the patch yourself. Or, worst-worst-case scenario, everyone says, "Fuck it, this shit's to hard, let's just make a new application that does something similar, but works differently."

How many times have we seen Google's boffins go ahead and make public a hole in Redmond's ecosystem after waiting 90 days for MICROS~1 to patch that?

...and any time that an exploit has a logo, that's MSFT fanboys' work. Those guys like to make a big deal of every flaw in Linux. Just imagine how busy they'd be if they did the same thing for every MICROS~1-specific flaw.

...better still, how about putting that manpower into fixing their own bugs?

Bodo Moeller and Adam Langley of Google prepared the fix for Heartbleed. The resulting patch was added to Red Hat's issue tracker on March 21, 2014[...]Neel Mehta of Google's security team secretly reported Heartbleed [to OpenSSL, its maintainer] on April 1, 2014[...]Stephen N. Henson applied the fix to OpenSSL's version control system on 7 April

As Anonymous has posted, Heartbleed proves that the thousand eyes is a myth.

There are four reasons why OSS systems are safer than Microsoft.

OSS users are more advanced. There is no secure system when the user clicks "Yes" to the message "This program demands to bypass security and change the system". The average Microsoft user is more likely to click yes than the average Linux or FreeBSD user.

An OSS user doesn't usually run as root. Many Microsoft workstations are run with administrator powers, even nowadays, let alone old XP. Windows comes from the domestic world, where the user was alone so he had to be almighty, and also was not a technician, so they couldn't bother him with security complexities and tough security policies.

Target windows, target 95% of world. Target linux, freebsd, target 5%. Which system are criminals going to devote more time to investigate how to crack?

It looks like the NSA works closely with Microsoft to keep software hackable.

A. They're hackable, any computer is, but they're far harder to crack than Windows. My guess is Android is easier than iOS, since you don't have to jailbreak it to install software; you could get a dodgy APK file from the internet.

B. Correct, Linux is not an OS, it's a kernel. Ubuntu, Red Hat, Android are OSes. Android on the desktop is no different than Red Hat on the desktop; Linux is the kernel for both.

As a criminological concept, target hardening has some serious deficiencies. For one, it only works against opportunistic or amateurish criminals. A determined, clever criminal would probably not be deterred, and some cleverer ones might even be attracted to hardened targets. [...] Some targets are relatively unhardened, or not hardened in depth. Other, unhardened targets (ones you might never think of) become targets. Displacement effects are, of course, quite common in crime prevention, but they occur in numerous ways with target hardening. Potential offenders simply go elsewhere.

I strongly disagree. 1- Given that most people aren't nerdy enough to upgrade to a unix-like. 2- Given that many people "can't afford" Mac. 3- Given that people are "trapped" on Microsoft 4- Given that Windows X sucks more ass than anything Microsoft has ever published in the past.

Might we not place the blame squarely on Microsoft? The corporation that worked so very hard to create one of the biggest monopolies in history bears responsibility for the results of that monopoly.

Think what life MIGHT be like, had Microsoft not built such a strong monopoly. Digital Research might still be around, with its own operating system, and Windows could be just a window manager which could be installed on DR-DOS. More people would still be savvy enough to actually install a window manager on top of an operating system. And, as a result, a vulnerability which affected all Microsoft OS's might only affect 20, or 40% of computers, instead of virtually all computers.

How many other commercial operating systems folded, and/or never came to exist, because of Microsoft? OS/2 is still around, kinda, but it enjoys an insignificant percentage of the market.

And, let's be clear about one thing: Microsoft solutions are NOT the "best" by any stretch of the imagination. Microsoft was stuffed down our throats (or up our asses) by force. That IS the nature of a monopoly.

Re: Microsoft Patch (Score: 2) by Runaway1956 on Sunday May 14, @03:58AM

You make that sound like a "good thing". Windows 10 telemetry and ad serving is a "bad thing". Windows 10 is not an upgrade at all, it's a serious downgrade. Why would anyone in their right mind compromise the security of their system, by effectively giving Microsoft permission to read (and write) anything on their computer?

Isn't it a bit misleading to try and pin this on the NSA? I might have misunderstood the entire news story but from what I can tell it's not the NSA that developed the malware, they found the feature - I'm certain they exploited it for something - they even gave it a cool name (EternalBlue). But this isn't or wasn't some fast way to increase some black budget post. If someone should be blamed for this it would be the Shadow Brokers that released it after their blackmail scheme backfired (as I recall they wanted to sell it, didn't work - so they just released parts of it). Microsoft for writing shitty code. Whomever wrote the malware. So there is enough blame to go around really. I just don't see any of it landing on the NSA. Do we blame other people that find faults (or bugs) in software (and possibly exploit it -- possibly some blame in that particular case)? Normally we don't. So to blame the NSA for this seems a bit of a stretch to me, even though it's apparently the popular thing to do.

Interesting parts in the story are the lax attitude towards patches, updating and security in several large organizations and companies. But then it costs a lot of money. Like this won't. If they are not working around the clock now it's going to be an interesting Monday at the office when this thing starts to spread like wildfire again as people come back to work.

Isn't it a bit misleading to try and pin this on the NSA? I might have misunderstood the entire news story but from what I can tell it's not the NSA that developed the Malware, they found the feature - I'm certain they exploited it for something

Hold it right there... because that is why the NSA bears responsibility. If you, a governmental agency, find a vulnerability, the best way to protect your citizens is not to exploit/weaponize it but to responsibly disclose it to the author to have it plugged ASAP. No ifs, no buts... any other way will expose the people you have sworn to protect to risks like this.

Regardless of appearances, the US national security state isn't really interested in defense of anybody but themselves. Their idea of defense is "kill them before they kill us", which means their real interest is in offense, and that is why they keep any and all vulnerabilities they discover to themselves. Not disclosing leaves citizens vulnerable, of course, but that helps out the portion of the national security state that treats the citizens as a potential enemy because they are outside of the national security state.

The nations of the world have recently united in declaring the continent of Antarctica "off limits" to military preparations. We could extend this principle to an even more important sphere. National vested interests have not yet been developed in space or in celestial bodies.

The big mess here is that the other half of the NSA’s mission is actually to help protect the United States from cyberattack. Here they have not only failed utterly, but are in fact guilty of all but betraying that mission. But I suppose whatever military-type in charge here might well quip the way some Vietnam War major quipped about it becoming necessary to destroy the town in order to save it.

Win XP is immune to this - patch is redundant (Score: 1, Offtopic) by number6 on Saturday May 13, @06:11PM

I highly recommend all Win XP users to run this simple one-click program: Seconfig XP [sytes.net]

It is a fantastic little tool for quickly hardening your network security settings.

Really simple to use... just start it, check all the boxes and click the "Apply" button.

If you want a (very nice) informative read of exactly what this prog does to your system and why, click the "Help" button.

If you click the "Apply" button, it will open a dialog box "Apply changed settings and restart computer [Yes] [No]".

If you want to revert your system back to previous state, run the prog again and click the "Restore" button; the prog has backed up your previous settings to some registry keys.

To test if Seconfig XP actually does its job...

Run Seconfig XP and click its "Status" button, causing it to open a "Current status" message window, and leave it open. Also open a CMD window and run this command: 'netstat -a -n', and leave it open. Place the "Current status" and "CMD" windows side-by-side and save a screenshot of them to your desktop.

Run Seconfig XP and apply the settings.

After reboot, run a new instance of "Seconfig XP status" and "CMD netstat" windows

Compare to your screenshot.
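Comparing two screenshots by eye misses things, so here is the same before/after check done on the text of `netstat -a -n`. This is an added example, not part of Seconfig XP or of the post above; the two snapshots are constructed to look like Windows XP netstat output, and the port list (135 for RPC, 139 and 445 for SMB/NetBIOS, the services the rest of this thread is about) is the editor's choice of what to watch for.

```python
"""Diff the sockets that accept traffic, as reported by `netstat -a -n`, before
and after a hardening change. Added example; the BEFORE/AFTER snapshots below
are constructed sample output, not captured from a real machine."""


def listening_sockets(netstat_output):
    """Return the set of (proto, local_address) endpoints that accept traffic:
    TCP rows in LISTENING state and every UDP row (UDP rows have no state column)."""
    sockets = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0].upper()
        if proto == "TCP" and len(fields) >= 4 and fields[3] == "LISTENING":
            sockets.add((proto, fields[1]))
        elif proto == "UDP" and len(fields) >= 2:
            sockets.add((proto, fields[1]))
    return sockets


def diff_snapshots(before, after):
    """Return (closed, opened): endpoints that disappeared and endpoints that appeared."""
    b, a = listening_sockets(before), listening_sockets(after)
    return sorted(b - a), sorted(a - b)


def ports_exposed(netstat_output, ports=(135, 139, 445)):
    """Which of the watched ports are still bound on a non-loopback address."""
    exposed = set()
    for _proto, addr in listening_sockets(netstat_output):
        host, _, port = addr.rpartition(":")
        if port.isdigit() and int(port) in ports and not host.startswith("127."):
            exposed.add(int(port))
    return sorted(exposed)


# Constructed sample: a stock XP box with RPC, NetBIOS and SMB listening on all interfaces.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1041      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# Constructed sample: the same box after the hardening tool has been applied and rebooted.
AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1041      192.168.1.1:80         ESTABLISHED
  UDP    127.0.0.1:1900         *:*
"""

if __name__ == "__main__":
    closed, opened = diff_snapshots(BEFORE, AFTER)
    print("closed:", closed)
    print("opened:", opened)
    print("still exposed before:", ports_exposed(BEFORE))
    print("still exposed after: ", ports_exposed(AFTER))
```

Save the two `netstat -a -n` outputs to files and pass their contents in place of the constructed snapshots; anything reported by `ports_exposed` after the reboot means the hardening did not actually close the port on a routable address, whatever the tool's "Status" window says.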

Re: Win XP is immune to this - patch is redundant (Score: 1) by anubi on Sunday May 14, @09:33AM

Reminds me of dialogues from the original GitS (Score: 2) by FunkyLich on Saturday May 13, @09:15PM

Reading the article - to be entirely correct, the summary of the article - I just thought of these two pieces of dialogue in the original "Ghost In The Shell" movie of 1995.

* * * Dialogue 1 * * *

Puppet Master: I refer to myself as an intelligent life form because I am sentient and I am able to recognize my own existence, but in my present state I am still incomplete. I lack the most basic processes inherent in all living organisms: reproducing and dying.

Major Kusanagi: But you can copy yourself.

Puppet Master: A copy is just an identical image. There is the possibility that a single virus could destroy an entire set of systems and copies do not give rise to variety and originality. Life perpetuates itself through diversity and this includes the ability to sacrifice itself when necessary. Cells repeat the process of degeneration and regeneration until one day they die, obliterating an entire set of memory and information. Only genes remain. Why continually repeat this cycle? Simply to survive by avoiding the weaknesses of an unchanging system.

* * * Dialogue 2 * * *

Togusa: There's something I've wanted to ask ever since I started. Why did you transfer a guy like me from the police force?

Major Kusanagi: Because we need a guy like you.

Togusa: Huh?

Major Kusanagi: Number one: You're an honest cop. Number two: You've never stepped out of line. Three: You're a family man. And, except for the slight brain augmentation, your body's almost completely human. If we all reacted the same way, we'd be predictable. And there's always more than one way to view a situation. What's true for the group is also true for the individual. It's simple. Overspecialise and you breed in weakness. It's slow death.

* * *

And immediately I thought: Why should everything be so vulnerable to this latest ransomware attack? Because after all, all the affected machines are nothing more than the same system copied and replicated over and over and over again.

Re: Reminds me of dialogues from the original GitS (Score: 0) by Anonymous Coward on Sunday May 14, @05:15PM

US-CERT posted Advisory TA17-132A [us-cert.gov] which gives significant technical detail as to the workings of WannaCrypt, as well as detection and remediation information.

I found one of the bits from the advisory of particular interest:

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.

The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.[emphasis added]

Given that the tool uses random (or more likely, pseudo-random) keys to encrypt each file, it's highly unlikely that paying the ransom would (even if the miscreants wanted to do so) allow decryption.

I imagine that these attacks could serve as a competency test, both for users (don't click on links in email), and for IT administrators (have quality, well-tested, frequent back ups).

I'm glossing over the SMB vulnerability [microsoft.com], since a fix has been available for almost two months. I would say that since Microsoft has bundled its updates in an attempt to force its spying^W telemetry code down everyone's throat, it wouldn't surprise me if this update wasn't as widely implemented as it should be.

Microsoft continues to make decisions that compromise the security of their users and products. As a former MS employee, this doesn't surprise me. Microsoft is, and has always been, run by the folks with sales and marketing backgrounds. I could elucidate, but I think my point is clear.

Wouldn't that require some kind of information to be sent back to the ransomware writers in order for them to be able to provide the un-encrypt code? And the question then becomes, how is that return channel set up?
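The two points above, that a fresh random key per file may rule out decryption and that some return channel would be needed to get keys back, both turn on one detail the advisory excerpt does not settle: what happens to each per-file key after use. If the key is thrown away, the files are gone; if it is wrapped under a public key whose private half only the attacker holds, the files are recoverable by exactly one party and nothing has to leave the machine at encryption time. The following is an added example of that general envelope pattern; it is not WannaCry's code, not from the advisory, and not from either post, and the page does not say which of the two WannaCry does. To run on the standard library alone it uses two labelled stand-ins: an HMAC-SHA256 keystream instead of AES-128, and textbook RSA over two known Mersenne primes instead of a real keypair. Neither is fit for production use.

```python
"""Envelope encryption: a random 128-bit key per file, each wrapped under a public
key. Added example of the general pattern, not WannaCry's code. Stand-ins, marked
below, replace AES-128 and a real RSA keypair so this runs with only the standard
library; they are not secure primitives."""
import hashlib
import hmac
import secrets

# Toy RSA key (stand-in). p = 2^89 - 1 and q = 2^107 - 1 are Mersenne primes, so
# n is about 196 bits, enough to hold a 128-bit key as one integer. e = 65537 is
# coprime to (p-1)(q-1). Only the attacker would hold D; the victim machine has
# only E and N baked in.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def stream_cipher(key, nonce, data):
    """CTR-style stream cipher built from HMAC-SHA256 (stand-in for AES-128-CTR).
    XOR with the keystream, so the same call encrypts and decrypts."""
    keystream = bytearray()
    block = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def wrap_key(file_key):
    """Wrap a 16-byte key under the public key (textbook RSA, no padding: toy only)."""
    return pow(int.from_bytes(file_key, "big"), E, N)


def unwrap_key(wrapped):
    """Recover the 16-byte key; this is the only step that needs the private exponent D."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def encrypt_file(plaintext):
    """Victim side: fresh random 128-bit key per file, as the advisory describes.
    The raw key is dropped after use; only its wrapped form is kept with the ciphertext,
    so nothing has to be sent anywhere while encryption runs."""
    file_key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(8)
    ciphertext = stream_cipher(file_key, nonce, plaintext)
    return {"wrapped_key": wrap_key(file_key), "nonce": nonce, "ciphertext": ciphertext}


def decrypt_file(record):
    """Attacker side (or anyone who obtains D): unwrap the per-file key, then decrypt."""
    file_key = unwrap_key(record["wrapped_key"])
    return stream_cipher(file_key, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    record = encrypt_file(b"constructed sample file contents")
    print("wrapped key (int):", record["wrapped_key"])
    print("round trip:", decrypt_file(record))
```

With this layout the only thing a "return channel" has to carry is the wrapped keys (or a per-victim master key that itself wraps them), and it can be carried in whatever channel the payment process already uses; the victim cannot shortcut it because `D` never existed on their machine. The practical conclusion for defenders is the one the post already draws: plan on restoring from well-tested offline backups, not on key recovery.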

Now Microsoft President and Chief Legal Officer wants a Digital Geneva Convention [microsoft.com] to protect computer systems. No mention of their own idiotic engineering or rather total lack of it. In addition to their slimy juridical dealings using "audits" to blackmail corporations.

It's often the case with equipment in laboratories. Think of machines doing blood analysis at (British?) hospitals, where the multi-million-dollar machine runs on a particular version of Microsoft... XP? Anyway, patching it will make it stop working, or at least risk just that. Obviously if you try to change the operating system, it will no longer work. This could be because of a combination of userland software that needs a specific software infrastructure and kernel drivers needing a specific Windows kernel.

On top of that, the machine may need to be networked with other Windows machines to report results, because the program to handle patient journals is only available for that shit platform. And of course that program also has issues with patches.

People should demand other operating systems for lab equipment than a proprietary one, because those can't be sufficiently maintained. But that requires people to make the PHBs and MBAs follow professional advice and also admit this is something they lack knowledge in, which a snowflake VIP with a grandiose personality disorder just can't take.

Nor will even a competent developer be allowed near such a machine to try to develop a free driver and software such that the machine may continue to be used after official support from Microsoft has ended, because it may be the only one that facility has and needs to run daily business, and certification may be lost on unauthorized software.